mCrime; Hacking Mobile Phones for Identity Theft

Robert Siciliano Identity Theft Expert

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone.

Fifteen years ago, cell phones were so bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today. A cell phone can pretty much do everything a PC can do, including online shopping, banking, and merchant credit card processing.

The personal computer started out slow and stodgy, and was mainly used for things like word processing and solitaire. Today, PCs are fast, multimedia machines, capable of performing amazing tasks.

There are consequences to the rapid evolution of these technologies.

A decade ago, during the slow, dial up era, hackers (and, in the beginning, phreakers) hacked for fun and fame. Many wreaked havoc, causing problems that crippled major networks. And they did it without today’s sophisticated technology.

Meanwhile, the dot-com boom and bust occurred. Then, as e-commerce picked up speed, high speed and broadband connections made it easier to shop and bank online, quickly and efficiently. Around 2003, social networking was born, in the form of online dating services and Friendster. PCs became integral to our fiscal and social lives. We funneled all our personal and financial information onto our computers, and spent more and more of our time on the Internet. And the speed of technology began to drastically outpace the speed of security. Seeing an opportunity, hackers began hacking for profit, rather than fun and fame.

Now, iPhones and other smart phones have become revolutionary computers themselves. For the next generation, the phone is replacing the PC. AT&T recently announced that they’ll be upping the speed of the latest version of their 3G network, doubling download speeds. It has been reported that the next iPhone will have 32 gigabytes. That’s more hard drive than my three year old laptop.

So naturally, criminal hackers are considering the possibilities offered by cell phones today, just as they were looking at computers five years ago.

Two things have changed the game: the speed and advancement of technology and spyware. Spyware was created as a legitimate technology for PCs. Spyware tracks and records social network activities, online searches, chats, instant messages, emails sent and received, websites visited, keystrokes typed and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. Parents can use spyware to monitor their young children’s surfing habits and employers can make sure their employees are working, as opposed to surfing for porn all day.

Criminal hackers created a cocktail of viruses and spyware, which allows for the infection and duplication of a virus that gives the criminal total, remote access to the user’s data. This same technology is being introduced to cell phones as “snoopware.” Legitimate uses for snoopware on phones do exist: silently recording caller information, seeing GPS positions, monitoring kids’ and employees’ mobile web and text messaging activities. Criminal hackers have taken the snoopware and spyware technology even further. Major technology companies agree that almost any cell phone can be hacked into and remotely controlled. Malicious software can be sent to the intended victim disguised as a picture or audio clip, and when the victim clicks on it, malware is installed.

One virus, called “Red Browser,” was created specifically to infect mobile phones using Java. It can be installed directly on a phone, should physical access be obtained, or this malicious software can be disguised as a harmless download. Bluetooth infared is also a point of vulnerability. Once installed, the Red Browser virus allows the hacker to remotely control the phone and its features, such as the camera and microphone.

While this may sound improbable, I’ve consulted and appeared on television (Tyra Banks and Fox) with an entire family that seems to have been victimized by every aspect of snoopware. The Kuykendalls, of Tacoma, Washington, found that several of their phones had been hijacked in order to spy on them. They say the hacker was able to turn a compromised phone on and off, use the phone’s camera to take pictures, and use the speakerphone as a bug. Ever since the program featuring the Kuykendalls’ story aired and continues to repeat, I’ve received dozens of emails from people around the world who have experienced the same thing. Many of these people seem totally overwhelmed by what has happened to them, and some are beginning to suffer financial losses.

If history is any indication of the future, mobile phones, just like computers, will soon be regularly hacked for financial gain. Prepare for mCrime in the form of credit card fraud, identity theft and data breaches.

Some Internet security software providers are beginning to offer software specifically for mobile phones. In the meantime, identity theft protection services are one line of defense against the latest cybercrime techniques.

Robert Siciliano, identity theft speaker, discusses hacked cell phones.

Typosquatting on Twitter and other social networks

Robert Siciliano Identity Theft Expert

Typosquatting, which is also known as URL hijacking, is a form of cybersquatting that targets Internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter. This can lead to financial or social media identity theftPhishing is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.tvviter

Scammers recently created a website imitating Twitter.com, and have been sending phishing emails to millions of users, many of whom click on the link contained within the emails, which sends them to the phishing site, where they enter their user names and passwords in order to log in.

The site is Tvviter.com, spelled with two V’s instead of a W. This is a form of “TypoPhishing”. I doubt anyone is going to inadvertently typo two V’s, but it’s certainly a creative ruse by the criminal hackers. This website is currently live. Assuming that your browser is up to date, it should alert you to the fact that Tvviter.com is a suspected phishing site.  Tweet.ro is another phishing website, which my up to date browser did not warn me about. Notice that neither web address is hyperlinked here. I would not suggest playing around on these sites. At any time, the creators can easily introduce malware to these sites, and then onto your outdated operating system or browser in the form of a “drive by” hack, which ultimately leads us back to identity theft and fraud.

tvviter1If you decide to play in the devil’s den, you are bound to get burnt.

Forward this blog post to your contacts. Let people know, so that they won’t be fooled. This scam may stick if the site isn’t taken down by the time this warning is read. Don’t get hooked. And protect yourself with Internet security software and identity theft protection.

Robert Siciliano, identity theft speaker, discusses phishing.

How to prevent social media identity theft

Robert Siciliano Identity Theft Expert

Two words: you can’t. However, there are several things you can and should do in order to manage your social media identity, which may prevent social media identity theft. What exactly is social media identity theft? It’s a form of cybersquatting using social media sites.

If you’ve ever attempted to join a social media, more commonly known as a social networking site, or applied for an email account, and found that your first and last name were already taken, that may or may not have been social media identity theft, or cybersquatting.

There may be someone out there who shares your exact name and happened to register first, or else there is someone out there who took your name so that you can’t have it, or who wants to sell it back to you, or wants to pose as you and disrupt your life. These are all possibilities.

The most damaging possibility occurs when someone wants to pose as you in order to disrupt your life. This disruption can take on many forms. They may pose as you in order to harass and stalk you, or to harass and stalk people you know. Or they may steal your social media identity for financial gain. Throughout my years working in the field of financial crimes and identity theft, I’ve seen plenty of social media identity theft that led to financial loss. The thieves use a combination of email and social media to extract funds from others, or to open new accounts.

There are hundreds, or maybe even thousands, of social media sites (FacebookMySpaceTwitterYouTube), web-based email providers (hotmail.com, gmail.com, yahoo.com) and domain extensions (.com, .net, .biz). Then there are all the blog portals, such as WordPress and Blogspot. Even your local online newspaper has a place for user comments, and most people would want to register their own names before someone else comments on their behalf.

Social media websites offer the option to provide your real name as well as a user name. The user name may be a fun chat handle or an abbreviation of your real name. The key is to give your real name where requested and also to use your real name as your user name. Even if you don’t plan on spending any time on the site, or to use the domain or email, you want to establish control over it.

The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters. Your ideal name, for example would be twitter.com/RobertSicilianoRobertSiciliano.com, orRobertSiciliano@anymail.com. This strategy won’t prevent someone else from registering with your name and adding a dot or a dash, but it trims down the options for a thief.

Some names are very common, or are also owned by someone famous. If that applies to your name, you can still take actions to manage your online reputation. If there is any uniqueness to your name or the spelling of your name, it’s still a good idea to claim your name in social media and work toward managing your online reputation.

Understand that your name is your brand. Your name is front and center on every document you sign and every website that shows up when your name is searched. The phrase, “All I have is my good name,” has never rung truer than today. If you are a writer, blogger, personality of any sort, or anyone who “puts it out there,” you probably already know enough to do these things. But there is more to do.

If someone, perhaps a potential employer or mate or client, searches your name on Google Web, Google Blogs or Google News, what will they find? Will it be someone else posing as you? Will it be a picture of you doing a keg stand? Or will it be you in your nicest outfit, accepting an award for an accomplishment? Either way, you need to manage your online identity and work toward preventing social media identity theft.

This isn’t an easy task. Nor is it fun. It can be time consuming and almost overwhelming. But I believe that the long term rewards are worth it.

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alerts for your name and get an email every time your name pops up online.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Consider dropping $65 on Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 120 social media sites. Their top 120 is debatable, but a great start. The user experience with Knowem is relatively painless. There is still labor involved in setting things up and with some of the 120. And no matter what you do, you will still find it difficult to complete the registration with all 120 sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
  6. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
  7. Or do nothing and don’t worry about it. But when some other John Doe does something stupid or uses your name in a disparaging way or for identity theft, and people assume that it’s you, remember that I told you so.
  8. Despite all the work you may do to protect yourself, you still need identity theft protection and Internet security software.

Robert Siciliano, identity theft speaker, discusses social media privacy.

ATM Skimmer Defeated By Customer

Identity Theft Expert Robert Siciliano

Its not often that I get to report on the victim becoming the victor. It’s nice to see the good guys win one.

I met a charismatic gent on FOX and Friends named Sean Seibel. Sean has a unique job title at Microsoft: User Experience Evangelist. Sean’s job is to be on top of what’s new and what’s next in technology, in the next 5-7 years. He’s a futurist. He and I spoke in the green room of the show before we appeared together on a segment regarding ATM skimming.

ATM skimming often results in forms of identity theft, credit card fraud or bank fraud.

To be a User Experience Evangelist requires a certain vision, insight and the ability to go beyond what’s current or obvious. Sean proved his ability to see “more” by trumping a gang of identity thieves who set out to steal millions from ATMs but “only” got away with $500,000.

Sean stopped at an ATM to get some cash to pay his barber. When he inserted his ATM card in the machine, he noticed a bit of resistance. Most people wouldn’t think twice about this. But Sean doesn’t think like most people. Then the screen said the machine was unable to read his card so he tried again. The second time, the machine gave him an error message. Before he tried again, he thought about a report he had heard about devices that fraudsters attach to the outside of card readers on ATM machines and wondered if that was the source of his problem.

He says, “I’m looking at the thing and thinking, this can’t be. No way. There are all these stories and myths about it, but I actually found one in the wild.”

Sean was face to face with an ATM skimmer, one that he had just swiped his card through. His heart started pounding. Adrenalin was rushing through his body. He was concerned, not just that he might be scammed, but that criminals might be very close by, maybe even behind him or watching him. However, that did not deter him.

Sean says, “I tried to pull on the green plastic surrounding the card slot and found that it peeled right off.” This plastic ATM skimmer had an SD card built into it to store all the stolen data. Sean went into the bank and notified the branch manager, who had never seen an ATM skimmer and didn’t know what to do. She took the skimmer and thanked Sean.

Then Sean remembered, from numerous reports about ATM skimming, that there are usually 2 parts to the ATM skimmer. One is the skimming device itself, the second is a micro-camera placed somewhere on the machine, where it 1arecords the user’s PIN. The camera is often installed in a false brochure holder that taped to the ATM. In this case, it was behind a small mirror that alerts the ATM user to beware of “shoulder surfers.”

Sean went back to the still operational ATM, where people were waiting in line for their cash, and noticed a tiny video camera behind an extra mirror attached to the machine, positioned right over the key pad where it could record user’s PINs. Not being a bank employee and not wanting to alarm any of the people iwaiting, he actually got in line, waited his turn (knowing that the skimmer was gone and nobody was in danger) and pulled the camera off the ATM.

He brought the camera to the bank manager, who replied by saying, “Maybe we should shut 2b*that machine down, huh?” Sean said, “I think that’s a good idea.” The bank manager contacted bank security, shut down the machine and alerted other area banks. The identity thieves netted $500,000 from their scam, rather than the millions they might have stolen had Sean Seibel not foiled their operation.

Bank branch manager…ZERO
Identity Thieves……….$500,000
Sean Seibel foiling their operation and becoming a hero to many….Priceless.

Some great tips from Marite Ferrero, of CardSwitch Technology:

  • Skimming has been and will continue to be the most common type of ATM-related fraud.
  • Criminals attach skimming devices over card slots on ATMs to steal data as the machine reads the card’s magnetic strip.
  • Hidden cameras record victims typing in their PIN codes.
  • More sophisticated criminals use wireless keypad overlays, which transmit PINs to a nearby laptop, instead 3bof cameras.
  • The U.S. Secret Service estimates that annual losses from ATM skimming total about $1 billion each year, or $350,000 a day.
  • Bank ATMs are more vulnerable than standalone ATMs.
  • Standalone ATMs in grocery stores or on the street use technology that encrypts the PIN pad, making them more difficult for criminals to hack.
  • Standalone ATMs are often positioned near the watchful eye of cashiers or store owners, so it’s harder to install skimmers without being caught.
  • Bank ATMs are also more highly trafficked, which means a bigger potential payoff for the criminals.

Also, invest in identity theft protection and make to update your PC’s McAfee internet security software.

Identity theft expert Robert Siciliano discusses ATM skimming.

Data Breaches; LexisNexis – FAA Hacked, Botnets Grow, Hackers Hold Data Ransom

Identity Theft Expert

What a week. Just when it starts to get boring, criminal hackers put on a spectacular show.

Criminal hackers continue to step up to the plate. Security professionals are fighting, and sometimes losing, the battle. Here’s one week’s worth of hacks:

Lexis Nexis, which owns ChoicePoint, an information broker I recently blogged about that was hacked in 2005, was just hacked again this week. On Friday, LexisNexis Group notified more than 32,000 people that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter. (Check your credit reports and examine        your credit card statements carefully!)

CNET reports that hackers broke into FAA air traffic control systems, too. The hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, for 48,000 current and former FAA employees. In a House Oversight and Government Reform Subcommittee testimony, it was stated, “FAA computer systems were hacked and, as the FAA increases its dependence on modern IP-based networks, the risk of the intentional disruption of commercial air traffic has increased.”

Computerworld reports that a hacker has threatened to expose health data and is demanding $10 million. Good for him, bad for the Virginia Department of Health Professions. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted  more than 8 million patient records and 35 million prescriptions and then deleted the original data. “Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh,” posted the hacker. Holding data hostage is nothing new, but it is      becoming increasingly common.

The Register reports that bot-herders have taken control of 12 million new IP addresses in the first quarter of 2009, a 50% increase since the last quarter of 2008, according to an Internet security report from McAfee. The infamous Conficker superworm has occupied all the headlines, and makes a big contribution to the overall figure of compromised Windows PCs, but other strains of malware collectively make a big contribution to this number. McAfee’s Threat Report notes that the US is home to 18% of botnet-infected computers.

While you can’t do much about others being irresponsible with your data, you can protect your identity, to a degree. Consider investing in identity theft protection and always keep your Internet security software updated.

Robert Siciliano, identity theft speaker, discusses Ransomware.

Lie to Me; Social Engineering and Bold Face Cons

Identity Theft Expert

If only our noses grew every time we lied. Life would be so transparent.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Call them con men, grifters, scammers, or thieves. Or simply call them liars. Lying is what they do best. They stare you in the eyes and lie through their teeth. They do it casually and with such conviction that we have no reason not to believe them. Their craft and skill is a remorseless trait called social engineering, which is also known as pre-texting.

Lying is a learned behavior. One day as children we stumble upon a situation, one that we created or were a party to, and we are confronted by someone in authority. Most likely mom, dad, or a teacher. We are asked a question and we respond with what we think they want to hear, as opposed to the truth. We lie. They believe us and we are relieved of the burden of truth’s consequences.

We then use this tool throughout life whenever we feel it will outweigh the benefits of honesty. “Sir, did you know you were speeding?” We lie to others, we lie to ourselves, we all lie to a degree. It’s a survival mechanism. But some people are absolute professionals at it and take it way beyond what’s a reasonable lie. Their entire life’s motivation is to get out of bed in the morning and use deception to take what belongs to others. Liars often have a form of anti-social personality disorder. They lack empathy for others’ feelings. They aren’t concerned about the consequences of their actions and the potential harm it may do others. Many in prison are said to have this “ailment.”

Laws are created because of man’s behaviors, and the fact that man lies. Laws protect man from himself and from others.

Liars are often so good that they end up in a position of authority and trust. They could be heads of state, CEOs of corporations, judges, a significant other, or even a member of the clergy. For the past year, I’ve been corresponding with a minister who was convicted of identity theft and received an 18 month sentence. He’s asking me to testify on his behalf in an appeal.

What compounds the problem is the naïveté of civilized human beings. We are raised to love and respect, to be kind and cordial. We are taught to behave ourselves and tell the truth. And we expect others to act in kind. Trust is the foundation of functioning in a civilized society. Without a degree of trust in everyone and everything, we’d cease to move in a forward direction, always in fear of dire consequences of venturing out. If we didn’t inherently trust, how could we possibly get behind the wheel of a car and drive down a two way street, with nothing but a yellow painted line separating us from a head-on collision and imminent death?

I often hear people say, “I don’t trust anyone,” or advise others never to trust anyone else. And they are liars, too. Because they do trust.

When someone lies in our presence, we can sometimes smell a skunk. One on one contact provides us with numerous telltale signals of truth and lies. Human communication relies not just on words, but on body language and tone of voice. Believe it or not, we all exude energy towards others. Sometimes that energy is positive or negative. A negative energy coupled with certain neuro-linguistics can send a ping to our bellies and prompt the hair on the back of our necks to raise, signaling a primordial instinct to beware of a cheat in our presence.

Technology has made it easier than ever for liars to perfect their craft. We see thousands of scams and ruses pulled every day. The key is to understand the lures, motivations, and tactics of the con. When you can sense a snake-oil salesman and “see them from a mile away,” you are much safer and more secure than those who assume it can’t happen to them.

Trust is a fundamental and necessary part of life. But a degree of cynicism can go a long way. Because liars lie, invest in identity theft protection and make sure your PC has McAfee Internet security software.

Identity theft speaker Robert Siciliano discusses identity theft with a real conman.

Privacy Is Dead, Identity Theft Prospers

My information is in lots and lots of different places. I sacrifice a lot of privacy because of the nature of my business. If I wasnt so dependant on eyeballs I’d live much differently. However to participate in society on any level, privacy becomes a dead issue. Accept it. Or live in the jungle in Africa.

A CEO of a major software company declares, “You have zero privacy, get over it.” In response, the FTC states, “Millions of American consumers tell us that privacy is a grave concern to them when they are thinking about shopping online.”

Do you agree? Is privacy dead? Do you share your “status” on Facebook? Twitter? Do you have a MySpace page? A blog? Do you post your family photos on any of the above, or on Flicker?

The statement, “You have zero privacy, get over it,” was made by Scott McNealy, former chief executive officer of Sun Microsystems, in 1999. That was 10 years ago. Before the phrase “social networking” or the word “blog” entered our lexicon.

Here we are in 2009, when that statement is 100 times more true than it was 10 years ago. When you ask people if they are concerned about online privacy, they respond with a big, loud, angry “YES!” Then they hypocritically use their Facebook pages to inform the world that they are about to go on vacation. Which means that the lights are off and nobody’s home.

It isn’t just web users voluntarily giving up their privacy, it’s also corporations and government agencies gathering data as a form of intelligence. This data might be used to sell you something or it could be used to protect us in the form of Homeland Security.

Our personal information can be bought and sold. “Information brokers” sell our data to anyone with a credit card. One of the largest publicly traded information brokers in the world is a company called ChoicePoint. Last time I checked, they had 19 billion records on file. And one of their biggest customers is the US government.

So even if you don’t update your Facebook status to tell the world you just made a tuna sandwich, chances are, your phone number, your most recent address, or even your anonymous chat handle can be found on Zabasearch.com or iSearch.com. If you’ve ever committed a felony, your data may be on CriminalSearches.com Heck, just Google yourself.

At least head to Facebook and lock down your privacy settings. You get to them from the Settings –> Privacy Settings menu.

If you are reading this, you are participating in society. The price you pay is sacraficing your personal identifying information in order to get an Internet connection, credit, a car, medical attention, to go to school or buy a pair of shoes. While many citizens scream against Big Brother and corporate America abusing their trust, many will also give up all their privacy for ten% off a new pair of shoes.

All this makes it very easy for criminal hackers to commit identity theft. They use this available data to become you. Since your data is already out there, you’d better invest in identity theft protection and make sure your PC is up to date with Internet security software.

For more information, I recommend You Have Zero Privacy – Enjoy It! by Mike Spinny, and Cyberwar’s First Casualty: Your Privacy by Preston Gralla and Why give up Privacy? by Bob Sullivan

Robert Siciliano, identity theft expert, discusses background checks.